How I Escaped a WhatsApp Scam: A Close Call with Phishing
Exposing the tactics of WhatsApp scammers
A few weeks ago, I received a call from an unfamiliar number. The caller introduced himself as a pastor and claimed to be a member of a Christian group on WhatsApp to which I belonged. His tone was warm and friendly, and he opened with the usual pastoral salutations, immediately putting me at ease. He even mentioned that a meeting was scheduled for later that night, something I didn’t find out of place.
I thanked him for the call, assuming it was a simple check-in, and mentioned that I’d try to tune in if time permitted. He noted my interest, perhaps viewing it as a vulnerability, and decided to push further.
He informed me that the group was “marking attendance” and that an attendance number would be sent to my phone shortly. He asked me to read it back to him when I received it. At first, I was surprised. Why would a WhatsApp group need to mark attendance this way? It didn’t align with how this particular community usually operated.
Nonetheless, I checked my phone out of curiosity and saw an SMS containing a six-digit number. The message was from WhatsApp: a verification code. That’s when my mix of feelings started to solidify into suspicion.
When I told him it was a WhatsApp verification code, he insisted I read it aloud, claiming it was the "attendance number." His persistence tipped me off that something was seriously wrong.
Suddenly, it all clicked. This wasn’t just an unusual request; it was a scam. The so-called pastor wasn’t who he claimed to be. He had likely entered my phone number into WhatsApp on a different device, triggering the verification process. His goal was simple: to trick me into handing over the code so he could hijack my account.
Thankfully, I didn’t share the code. Instead, I ended the call and ran some background checks on the number he called me from, which revealed his name.
What really happened?
The attacker attempted a classic WhatsApp account takeover scam using social engineering tactics, which I discuss below:
Trust Exploitation: Posing as a pastor and referencing a Christian WhatsApp group I belonged to made the call seem legitimate.
Urgency and Deception: Claiming that attendance was being marked created a sense of immediacy, aimed at lowering my defenses.
Verification Code Theft: He tried to trick me into sharing the code WhatsApp sent to verify my account, which would allow him to hijack my account and impersonate me.
Had I shared the code, he would have locked me out of my account and possibly used it to scam my contacts further.
What did I do right?
Questioning the Unusual: I noticed the oddity of marking attendance, which was a red flag.
Recognizing the Verification Code: Realizing it was a WhatsApp code instead of an "attendance number" was a brain pincher.
The lessons I learned
This experience was a reminder of how cunning social engineering tactics can be, especially when attackers exploit trust. Here are some key takeaways from my experience:
Question Unusual Requests: Even when a request comes from someone claiming to be part of a trusted community, pause and think. Does the request make sense in the given context?
Never Share Verification Codes: Verification codes are personal. No legitimate organization or individual should ever ask for them. Not your bank, school, or organization.
Enable Two-Step Verification: Adding an extra layer of security to your account can prevent unauthorized access, even if your verification code falls into the wrong hands.
Stay Alert for Social Engineering Tactics: Attackers often use urgency, authority, or familiarity to manipulate their targets. Recognizing these tactics can help you avoid falling victim.
Moving forward, while this was a close call, it could have been much worse. Scammers rely on exploiting trust and moments of uncertainty. We can protect ourselves and our digital identities by staying vigilant and questioning odd behaviour.